June 30, 2005

A class-action suit has been filed in California against CardSystems, Visa, and MasterCard seeking a declaration that CardSystems violated due standards of care in its data-security methods and that the card companies failed to provide timely notice of the nature and extent to which credit-card data was compromised.

According to the lawsuit, CardSystems had been alerted "by other entities" late last year that consumer data had been exposed and failed to take prompt remedial action or notify consumers. The suit alleges that CardSystems violated Visa and MasterCard rules against storing consumer information and also violated the Payment Card Industry Data Security standard by improperly storing credit-card and transaction data, failing to maintain a firewall, failing to restrict access to its computers, and failing to encrypt cardholder data.

The suit charges that MasterCard was remiss in not publicly disclosing the breach until June 17, even though it had been informed by CardSystems of the breach in May and had traced fraudulent incidents back to CardSystems in April.

Read the full complaint: http://www.techfirm.com/cardsystems.pdf

ABOUT THE AUTHOR